Honeywell and Rockwell Vulnerabilities: Addressing Recent ICS Security Flaws

The recent discovery of vulnerabilities in industrial control systems (ICS) manufactured by Honeywell and Rockwell Automation has sparked serious concerns in digital security. The potential disruptions or damage to operations across sectors that depend on these systems are significant. 

This article provides an insightful overview of the vulnerabilities, the potential risks associated with these vulnerabilities, recommended mitigation strategies, and specific guidance for clients on leveraging Verve technology and support to address these vulnerabilities efficiently and effectively.  

About the Honeywell Vulnerabilities 

Honeywell detected critical vulnerabilities in its Experion PKS, LX, and PlantCruise systems. These vulnerabilities show a low attack complexity and enable remote exploitation. If malicious actors gain access, they can infiltrate the operational memory of these systems, potentially engaging in unauthorized activities. 

Heap-based Buffer Overflow (CWE-122): Assigned CVE-2023-23585; this vulnerability may trigger a denial-of-service condition when dealing with a specially crafted message. Its CVSS v3 base score of 9.8 signals its critical severity.

Stack-based Buffer Overflow (CWE-121): Linked to CVE-2023-25078, this flaw could lead to a denial-of-service or remote code execution while handling a specific configuration operation. Its CVSS v3 base score of 9.8 marks it as critically severe. 

Out-of-bounds Write, Uncontrolled Resource Consumption, Improper Encoding or Escaping of Output, Deserialization of Untrusted Data, Improper Input Validation, and Incorrect Comparison: These vulnerabilities, all with CVSS v3 base scores of 9.8, may result in denial-of-service, privilege escalation, or remote code execution. 

Insufficient Verification of Data Authenticity: CVE-2023-25178 could enable attackers to load malicious firmware, potentially enabling remote code execution. It carries a CVSS v3 base score of 7.5. 

Understanding the Risks 

The repercussions of exploiting these vulnerabilities could be severe, including denial-of-service conditions, privilege escalation, and remote code execution, leading to losing visibility and control of Operational Technology (OT) processes. 

An attacker exploiting CVE-2023-25178 could load malicious firmware and execute remote code. 

These vulnerabilities impact both the software and firmware aspects of multiple Honeywell products. Most control environments have several endpoints, all of which expose these vulnerabilities. If an attacker were to exploit these vulnerabilities, there is a high likelihood of lateral movement within the environment. 

Mitigation Steps from Honeywell 

Honeywell has made the following recommendations: 

• Upgrade the affected systems to version R520.2. 
• Implement security best practices to limit unauthorized access. 
• Follow defensive measures, including network segmentation, secure remote access, and regular impact analysis and risk assessment. 

About The Rockwell Vulnerabilities 

Rockwell Automation discovered critical vulnerabilities in several of its communication modules. These vulnerabilities offer low attack complexity and are susceptible to remote exploitation. Given this access, attackers have the potential to infiltrate the running memory of the affected modules, leading to unauthorized activities. 

Affected Rockwell Products 

The vulnerabilities affect a vast range of Rockwell Automation products. The affected models include:

• 1756-EN2T, 1756-EN2TK, 1756-EN2TXT 
• 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT 
• 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT 
• 1756-EN2F, 1756-EN2FK 
• 1756-EN3TR, 1756-EN3TRK 
• 1756-EN4TR, 1756-EN4TRK 

Understanding the Risks 

The critical vulnerabilities within these models could potentially allow malicious users to: 

• Execute remote code. 
• Launch denial-of-service attacks. 
• Manipulate or exfiltrate data passing through the affected devices. 

These vulnerabilities have been assigned a severity rating with a CVSS v3 base score of 9.8 and 7.5. Their exploitation could lead to severe consequences like denial-of-service conditions, privilege escalation, or remote code execution. Successful exploitation may result in the loss of visibility or control of assets. 

A case in point is CVE-2023-3595, which could allow an attacker to persist within an asset, potentially installing backdoors and enabling lateral movement within the environment. 

Mitigation Steps from Rockwell Automation 

Rockwell Automation has taken decisive action to counter these vulnerabilities. The company recommends standard firmware updates for affected devices. 

Specific updates for each product are as follows:

• 1756-EN2T, 1756-EN2TK, 1756-EN2TXT (Series A, B, C): Update to 5.029 or later for signed versions. Update to 5.009 for unsigned versions. 
• 1756-EN2T, 1756-EN2TK, 1756-EN2TXT (Series D): Update to 11.004 or later. 
• 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT (Series A): Update to 11.004 or later. 
• 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT (Series A, B): Update to 5.029 or later for signed versions. Update to 5.009 for unsigned versions. 
• 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT (Series C): Update to 11.004 or later. 
• 1756-EN2F, 1756-EN2FK (Series A, B): Update to 5.029 or later for signed versions. Update to 5.009 for unsigned versions. 
• 1756-EN2F, 1756-EN2FK (Series C): Update to 11.004 or later. 
• 1756-EN3TR, 1756-EN3TRK (Series A): Update to 5.029 or later for signed versions. Update to 5.009 for unsigned versions. 
• 1756-EN3TR, 1756-EN3TRK (Series B): Update to 11.004 or later. 
• 1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT (Series A): Update to 5.002 or later. 

Further, Rockwell Automation advocates following defensive measures like network segmentation, secure remote access, and regular impact analysis and risk assessment. 

Leveraging Verve to Address ICS Vulnerabilities 

The Verve Security Center offers a comprehensive suite of tools and services for detecting, assessing, and mitigating these potential risks. Here is how to use Verve to help address the Honeywell and Rockwell vulnerabilities: 

• Utilize Verve’s in-depth asset inventory, which interfaces directly with the endpoint, to identify impacted assets via their model and firmware versions quickly. 
• Take advantage of Verve’s detailed asset vulnerability profiles, enabling an efficient transition from asset inventory to specific vulnerability details. 
• Employ Verve’s network traffic monitoring feature to promptly spot and react to abnormal network connections. 

Additional Support for Verve Clients 

Verve stays committed to providing support in the face of these recent vulnerabilities. Clients are encouraged to contact their assigned Customer Success representative for individualized help and guidance if more support is needed. 

The Essential Role of OT Systems Management in Vulnerability Response 

The recent vulnerabilities discovered in Honeywell and Rockwell Automation systems are a stark reminder of the critical importance of vigilant OT systems management. Safeguarding assets and implementing CISA-recommended measures are fundamental to maintaining a secure operational environment.  

 The essence of this proactive strategy lies in its ability to empower operators to act decisively and promptly to mitigate risk rather than solely relying on public information and official updates. 

CISA’s Best Practices: The Foundation for Robust OT Systems Management 

The foundation of this approach is rooted in best practices for vulnerability management, with the guidance from the Cybersecurity and Infrastructure Security Agency (CISA) being still highly relevant: 

• Maintain an ICS asset inventory of all hardware and software. 
• Update software using a risk-based assessment approach. 
• Implement allowlisting on HMIs and workstations. 
• Isolate ICS/SCADA systems from corporate and internet networks using perimeter controls. 
• Disable unused ports and services on devices. 
• Enforce multi-factor authentication for remote access. 
• Change all passwords regularly and monitor password status. 
• Maintain known-good backups. 
• Protect systems with strong anti-virus and other endpoint detection capabilities. 
• Implement log collection and retention. 
• Leverage OT monitoring solutions to alert malicious behaviors. 

 These practices lay the groundwork for robust OT Systems Management, serving as the essential pillars in constructing a potent defensive strategy. 

Verve’s 360-Degree Risk Prioritization: The Complementing Layer 

Building upon this robust foundation, Verve designed a 360-degree risk prioritization model that enhances and refines the vulnerability management process. This model is an amalgamation of several key elements:  

• Enhanced Visibility: An endpoint view of assets, including hardware, software, firmware, patch level, users & accounts, supplies a deep and accurate understanding for prioritizing remediation actions. This approach, distinct from network traffic/packet inspection, ensures critical insights into system vulnerabilities.
   
• Comprehensive Risk Assessment: While vulnerabilities are important, the most significant risks to infrastructure often lie in weak access control, inadequate password management, and ineffective firewall and network protection rules. Verve combines all risk data into a single console, enabling informed trade-offs and a holistic view of system risks. 

• Vulnerability Prioritization: Using factors such as CISA Known Exploited Vulnerabilities and other sources, Verve prioritizes known software vulnerabilities, allowing for specific and targeted remediation efforts.
   
• RISK Prioritization: Verve’s ability as a controls system integrator enables the identification of assets and systems critical to operations. Combining vulnerability prioritization with other risk elements and asset criticality scores generates an overall risk score to guide remediation prioritization.

• Integrated Remediation: Acknowledging the challenge of executing remediation actions in OT environments, Verve seamlessly integrates remediation into the assessment platform. This streamlines the process, accelerating remediation timelines and enabling confirmation of completed actions.

• Real-Time Tracking: Regularly scanning systems for vulnerabilities and monitoring the effectiveness of remediation efforts can be challenging in OT/ICS environments. Verve’s platform solves this problem by providing updated vulnerability and risk scores every 15 minutes. This real-time view empowers organizations to track risk reduction progress and show tangible improvements over time.
   

The 360-degree risk prioritization model forms a complementary layer atop the foundational best practices. This combination leads to a comprehensive approach to vulnerability management that is both proactive and strategic, capable of responding to the ever-evolving challenges in the OT landscape. 

Verve’s Commitment to Strengthening OT Security 

The recent vulnerabilities in Honeywell and Rockwell Automation systems underscore the ongoing threats to critical infrastructure sectors. At Verve, we are committed to addressing these challenges and being your trusted partner in OT security. 

With our advanced vulnerability identification and mitigation capabilities, we offer a comprehensive solution to fortify OT security. Leveraging technologies like 360-degree risk prioritization and real-time tracking, we provide actionable insights and effective response measures. 

Whether you are an existing client or an organization grappling with vulnerabilities in Honeywell and Rockwell systems, we can help. Our dedicated team is ready to provide guidance, expertise, and strategic insights to enhance your OT security.